Risk Management
Managing risks, whether or not they relate to patient care, is an essential activity for sustainability in the healthcare sector. At Rede D’Or, we map and assess our risks and ensure that each of them is managed in an agile and efficient way. Advancing this process, in 2023 we consolidated the relationship between our oversight departments, ensuring that everyone involved in corporate risk management shares a single view of the Company’s risks.
We have a risk assessment process and a risk matrix, both approved annually by the Board of Directors, which is also responsible for periodically assessing strategic risks. In 2023, we completed our Climate Risk Matrix and incorporated it into our risk management process (more information here). Executive officers and Executive Committees set performance goals and are responsible for overseeing progress on climate-related goals.
We also have a Risk Management Policy that sets out the principles, guidelines, concepts, actions and responsibilities that management members must comply with when dealing with uncertain events capable of impacting the Company’s goals.
The policy is annually reviewed and monitored by the Board of Directors, the Audit Committee, the Risks and Internal Controls Executive Office, the Compliance Department and the internal audit (which acts independently and objectively, reporting to the Audit Committee).
Rede D’Or’s risk assessment
Risk assessment encompasses five steps: identification; analysis and assessment; treatment; monitoring and critical analysis; record and report to stakeholders.
Building Rede D’Or’s Corporate Risk Matrix
GRI 2-25
Main types of risk and forms of mitigation
Credit: losses generated by the default of customers, financial institutions or counterparties of financial instruments.
Mitigation: periodic analyses and adoption of effective collection methods.
Liquidity: lack of sufficient funds to fulfil obligations associated with financial liabilities.
Mitigation: continuous monitoring of cash flows. Financial investments of a speculative nature and with high financial risk are avoided.
Market (interest rate and exchange). Interest rate: impacts on financial investments, loans, financing and debentures contracted in local currency, resulting from changes in interest rates. Exchange: changes in the value of future cash flows of a financial instrument due to fluctuations in foreign currency.
Mitigation: monitoring the behaviour of interest and exchange rates, in addition to the search for hedging instruments.
Compliance: the imposition of legal or regulatory sanctions and financial or reputational loss as a result of non-compliance with laws, agreements, regulations, the Code of Conduct and internal policies and procedures.
Mitigation: monitoring new laws and regulations to which the Company may become subject, so that, where necessary, we can adopt an action plan to align Rede D’Or with them.
Strategic: caused by changes in the external environment, including the political, economic, market, competition and technological innovation areas, among other causes. It refers to risks related to our strategy in seeking to create, protect and grow value.
Mitigation: defining, each year, the strategic planning for the following period, with input from executive officers and key professionals. Performance indicators are discussed, as well as an action plan for possible course corrections.
Operational: involves activities linked to the operation of the business and the management of support areas. It arises from the inadequacy or failure of internal processes, or from people, in ways that may hinder or prevent the achievement of the Company’s goals.
Mitigation: testing of internal controls by the Audit area, in order to ensure their effectiveness and determine whether they are sufficient to mitigate operational risks; monthly monitoring of performance indicators for organizational processes.
Cyber and IT. Cyber: threats that can exploit vulnerabilities in our assets, impacting the confidentiality, integrity and availability of information. IT: threats that may compromise the confidentiality, integrity and availability of information, including intellectual property and the commercial and personal data of patients and employees.
Mitigation: review, by the Information Technology (IT) area, of all internal controls, in order to increase the security of information systems and strengthen data protection.
Regulatory/Legal: when laws or regulations (including legal amendments or the partial or complete absence of their enforcement) may have strategic, image and/or financial impacts, or have the power to significantly affect management and the business.
Mitigation: continuous monitoring of compliance with the laws and regulations to which we are subject.
Social and environmental: possibility of losses resulting from negative effects of our activities on the environment and society, including impacts on ecosystems, people and native communities, human health, cultural property and biodiversity.
Mitigation: continuous monitoring of any possible environmental or social impacts caused by our activities (especially greenfield and brownfield projects).
Management of impacts and critical topics
GRI 2-25, 3-3
The year 2023 marks the achievement of maturity in risk management in our Company, evidenced by the active participation of executive officers in monitoring risks, the involvement of the several areas that take part in governance, and a broader scope for the risk management process across our business.
We manage all identified risks, ensuring that potential impacts linked to the business can be anticipated and prevented. The projects and actions proposed by the Executive Board to mitigate economic-financial and operational risks and impacts are monitored by the Risk Committee in quarterly meetings, as well as in other agendas that require discussion based on the Risk Matrix and inputs from different areas. The Climate Risk Matrix is used specifically to manage climate impacts, the negative impacts of which we address with appropriate remediation.
In February 2023, we launched a Distance Learning program at Academia Rede D’Or, our corporate training platform, which allows employees at coordination, supervision, management and senior management levels to have access to the Company’s concepts and vision on risk management. Also to spread the risk management culture among our team, the topic is discussed in the Company’s thematic meetings (through commissions and committees).
Additionally, in 2023, we participated in a debate on the importance of managing non-healthcare risks, within the context of sustainable development, promoted by the National Association of Private Hospitals (Anahp), alongside other important players in the healthcare sector. Rede D’Or’s debate presentation focused on the importance of managing multiple risks, considering the sustainability front and the relevance of establishing a risk culture.
Due diligence
GRI 2-25
Based on specific regulations on the identification and assessment of social and environmental risks in mergers and acquisitions, before and during the acquisition of new hospitals we carry out a series of analyses and investigations (due diligence) to identify any environmental risks or liabilities. These analyses are submitted to our senior management. If the acquisition is approved, the company then acts preventively, establishing control actions and procedures to mitigate the risks inherent to the business. The Compliance department defines the rules and general criteria related to third-party integrity risks, in an integrated manner with the procurement of materials, equipment and services. This department is also responsible for risk assessments before sponsorships, donations, gifts, hospitality and partnerships are formalized.
Data privacy and information security
GRI 3-3, 418-1, SASB HC-DY-230a.2, HC-DY-230a.3, HC-DY-230a.4
We are committed to the privacy and protection of the data of our patients, employees and other stakeholders. Therefore, we employ processes and tools in operations involving the processing of personal data to protect them from accidental and/or illicit situations that may create risks to the holders’ right to privacy.
We ensure data protection in line with the Brazilian General Data Protection Law (LGPD, in Portuguese), Law 13,709/2018, giving data subjects control over their information. Based on a Privacy and Data Protection Governance Program, we structure a chain of management for the actions, campaigns and processes that involve the processing of personal data. Among the initiatives are the adoption of a governance and operating model, management and processes appropriate to the processing of personal data, and the definition of roles and responsibilities in relation to privacy. In 2023, we received no fines and had no complaints reported to the National Data Protection Authority (ANPD, in Portuguese) regarding privacy violations.
Our Privacy Program was developed based on the National Institute of Standards and Technology (NIST) Privacy Framework and the Privacy Governance Program Development Guide made available by the Ministry of Economy, demonstrating our respect for the rights of freedom, image, honor and privacy of individuals and of society in general. The Program covers all companies in the group (Rede D’Or, Oncologia D’Or, GTS, Richet and IDOR). Through the above frameworks, it guides stakeholder engagement as well as the main measures, goals, targets and processes intrinsic to those frameworks, on which the Program is based [GRI 3-3].
Note: This chapter provides a contextual view of the impacts identified in the impact assessment process for the “Customer Privacy” topic within the Integrity, Risk, and Anti-corruption topic. Therefore, we described the relevance of such impacts to our business, along with their management measures, effectiveness, and stakeholder engagement. An actual positive impact was contextually reported, namely: “Increased use of data and digital technology.” We identified “Patient exposure due to data breach (LGPD)” as an actual negative impact. [GRI 3-3].
50 thousand+ people attended distance learning training on privacy
1,500+ areas mapped on privacy
Privacy Management Framework
Privacy Principles: the components of the privacy framework are internationally recognized foundations that provide the basis for the privacy management framework.
Privacy Management Framework: the framework elements provide a pragmatic structure for organizing the management and oversight necessary to mitigate data subjects’ exposure to privacy risks. They are distributed among 12 macro-domains that address several aspects of data protection controls and good practices and that help ensure compliance with applicable privacy laws and regulations.
The governance model adopted in our Privacy Program features an improved decision-making process, which enables more efficient actions to be adopted. The Data Protection Officer (DPO) currently also holds the role of Privacy Manager and has the support of the Risk Committee and the Privacy Committee. The DPO is responsible for managing compliance with all of the Privacy Program’s pillars and for acting as the focal point for interacting with and responding to requests from data subjects and from the National Data Protection Authority (ANPD, in Portuguese). [GRI 3-3]
Contact channels with the Data Controller:
e-mail: [email protected]
To engage our professionals in complying with the rules set out in the LGPD, we offer a training and awareness program focused on privacy. Throughout 2023, several actions were carried out in a structured manner, including more than 250 action plans for monitoring in the units; distance learning training for more than 50,000 employees; publication of the Employee Guide to Privacy II; internal announcements; and the launch of a biannual online magazine addressing the topic, among other initiatives. [GRI 3-3]
Privacy Actions in 2023
GRI 3-3
Information Security
Through our Information Security department, we are committed to protecting our information assets, applying robust controls and measures to preserve the confidentiality, integrity and availability of information. We constantly seek to improve our security processes, ensuring the trust of our patients and employees.
See details on the official "Information Security" page.